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Fig. 5 



A MASTER KEY 







AN APPLICATION CONTAINER THAT HOLDS A SEALED 
OR UNSEALED FORM OF THE DATA THAT THE 
APPLICATION WANTS TO ACCESS 



A CRYPTOGRAPHIC GATEKEEPING MODULE THAT 
PERFORMS A CRYPTOGRAPHIC DIGEST OF A PORTION OF 
THE BYTES THAT MAKE UP THE CALLING APPLICATION TO 

COMPUTE A CRYPTOGRAPHIC TRANSFORMATION 



A CRYPTOGRAPHIC PROCESSING MODULE THAT 
INCLUDES INTEGRITY-CHECKING THAT EXAMINES THE 
APPLICATION CONTAINER AND CRYPTOGRAPHIC 

TRANSFORMATION, AND THE MASTER KEY TO 
DETERMINE IF THE APPLICATION IS ALLOWED TO 
UNSEAL THE DATA IN THE GIVEN APPLICATION 
CONTAINER, OR WHEN SEALING THE DATA MODIFIES IT 
TO ADD THE INTEGRITY CHECK INFORMATION 



Fig. 2 
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Fig. 6 



A MASTER KEY 







AN APPLICATION CONTAINER THAT HOLDS A SEALED 
OR UNSEALED FORM OF THE DATA THAT THE 
APPLICATION WANTS TO ACCESS 



A CRYPTOGRAPHIC GATEKEEPING MODULE THAT 
PERFORMS A CRYPTOGRAPHIC DIGEST OF A PORTION OF 
THE BYTES THAT MAKE UP THE CALLING APPLICATION TO 

COMPUTE A CRYPTOGRAPHIC TRANSFORMATION 



A CRYPTOGRAPHIC PROCESSING MODULE THAT INCLUDES 
INTEGRITY-CHECKING THAT EXAMINES THE APPLICATION 

CONTAINER AND CRYPTOGRAPHIC TRANSFORMATION, AND 
THE MASTER KEY TO DETERMINE IF THE APPLICATION IS 

ALLOWED TO UNSEAL THE DATA IN THE GIVEN APPLICATION 

CONTAINER, OR WHEN SEALING THE DATA MODIFIES IT TO 
ADD THE INTEGRITY CHECK INFORMATION 



Fig. 7 



AN ENROLLMENT PROCESS INCLUDING 

A FIRST CRYPTOGRAPHIC OPERATION 
PERFORMED DURING A SYSTEM MANAGEMENT 
INTERRUPTION (SMI) ON THE DEVICE PRODUCING A 
RESULT THAT IS SENT TO THE DEVICE AUTHORITY 

A SECOND CRYPTOGRAPHIC OPERATION PERFORMED 
DURING AN SMI INTERRUPT ON THE DEVICE 
PROCESSING A VALUE GENERATED BY THE DEVICE 
AUTHORITY THAT IS RECEIVED BY THE DEVICE 



A REGISTRATION PROCESS INCLUDING 



A FIRST CRYPTOGRAPHIC OPERATION PERFORMED 
DURING AN SMI INTERRUPTION ON THE DEVICE 
PRODUCING A RESULT THAT IS SENT TO THE 
AUTHENTICATION SERVER 

A SECOND CRYPTOGRAPHIC OPERATION PERFORMED 

BY THE AUTHENTICATION SERVER PRODUCING A 
CRYPTOGRAPHIC VARIABLE THAT IS STORED FOR USE 
DURING THE AUTHENTICATION METHOD 



AN OPTIONAL THIRD CRYPTOGRAPHIC OPERATION 
PERFORMED DURING AN SMI INTERRUPT ON THE DEVICE 
PROCESSING A VALUE GENERATED BY THE AUTHENTICATION 
SERVER THAT IS RECEIVED BY THE DEVICE 



AN AUTHENTICATION PROCESS INCLUDING 



A FIRST CRYPTOGRAPHIC OPERATION PERFORMED 

DURING AN SMI INTERRUPTION ON THE DEVICE 
PRODUCING AUTHENTICATION DATA THAT IS SENT 
TO THE AUTHENTICATION SERVER 

A SECOND CRYPTOGRAPHIC OPERATION PERFORMED BY THE 
AUTHENTICATION SERVER ON THE AUTHENTICATION DATA 
RECEIVED FROM THE DEVICE USING AT LEAST THE 
CRYPTOGRAPHIC VARIABLE STORED DURING THE 
REGISTRATION METHOD TO DETERMINE THE RESULT OF THE 

AUTHENTICATION 



Fig. 8 



AN APPLICATION THAT 

PERFORMS AN ENROLLMENT METHOD INVOLVING COMMUNICATION 
WITH A DEVICE AUTHORITY AND AN AUTHENTICATION SERVER TO 
CREATE AN APPLICATION CONTAINER DATA STRUCTURE ON THE 
DEVICE, WHEREIN THE APPLICATION CONTAINER DATA STRUCTURE IS 
CRYPTOGRAPHICALLY ASSOCIATED WITH THE APPLICATION 

STORES CREDENTIAL INFORMATION 

THE AUTHENTICATION SERVER STORES A CRYPTOGRAPHIC VARIABLE 
FOR THE APPLICATION CONTAINER DATA STRUCTURE 



AN APPLICATION RUNNING ON THE IDENTIFIED DEVICE THAT PERFORMS 
AN AUTHENTICATION METHOD INCLUDING 



UNSEALING THE APPLICATION CONTAINER DATA STRUCTURE THAT 

STORES THE CREDENTIALS 

MODIFYING THE CREDENTIALS 

RESEALING THE APPLICATION CONTAINER DATA STRUCTURE 

SENDING IDENTIFYING INFORMATION AND AT LEAST A PORTION OF THE 
RESEALED APPCONTAINER TO THE AUTHENTICATION SERVER 

WHEREIN AT LEAST PART OF THE RESEALING OPERATION TAKES PLACE 
DURING AN SMI ON THE SAME CPU THAT EXECUTES THE CODE OF THE 

APPLICATION 



WHICH AUTHENTICATION SERVER 

RECEIVES THE IDENTIFYING INFORMATION AND AT LEAST A PORTION OF 
THE APPLICATION CONTAINER DATA STRUCTURE 

USES THE IDENTIFYING INFORMATION TO LOOKUP OR COMPUTE A 
CRYPTOGRAPHIC VARIABLE TO UNSEAL THE APPLICATION CONTAINER 

DATA STRUCTURE, 

IF THE UNSEALED APPLICATION CONTAINER HAS ACCEPTABLE VALUES 
THEN THE SPECIFIC APPLICATION ON A SPECIFIC DEVICE IS CONSIDERED 

TO BE AUTHENTICATED; AND 

STORES A KEY ASSOCIATED WITH THE APPLICATION CONTAINER DATA 

STRUCTURE. 



Fig. 9 



AN APPLICATION FOR EACH KIND OF VIRTUAL TOKEN 


i 




AN APPLICATION CONTAINER FOR EACH 
VIRTUAL TOKEN OF A SPECIFIC KIND 


1 





A CRYPTOGRAPHIC GATEKEEPING COMPONENT THAT 
COMPUTES AN CRYPTOGRAPHIC TRANSFORMATION OF A 
CALLING APPLICATION THAT IS REQUESTING 
CRYPTOGRAPHIC SERVICES OF A CRYPTOGRAPHIC 
PROCESSING COMPONENT 



WHEREIN THE CRYPTOGRAPHIC GATEKEEPING COMPONENT 
KNOWS ONE OR MORE LONG-LIVED SYMMETRIC KEYS, AND 
WHEREIN THE CRYPTOGRAPHIC PROCESSING COMPONENT IS 

ACCESSED VIA THE CRYPTOGATE COMPONENT, THE 
CRYPTOGRAPHIC PROCESSING COMPONENT KNOWS ONE OR 
MORE LONG-LIVED SYMMETRIC KEYS AND ONE OR MORE 
LONG-LIVED PUBLIC KEYS 

I 



WHEREIN THE CRYPTOGRAPHIC PROCESSING COMPONENT 
COMPONENT CHECKS THE INTEGRITY OF THE CALLING 
APPLICATION BY CHECKING A DIGITAL SIGNATURE OF A PORTION 
OF THE APPLICATION'S CODE OR STATIC DATA, USING A PUBLIC 
KEY THAT HAS BEEN LOADED INTO THE CRYPTOENGINE AND A 
CRYPTOGRAPHIC TRANSFORMATION VALUE 

WHEREIN THE CRYPTOGRAPHIC TRANSFORMATION VALUE 
INCLUDES A RECENTLY COMPUTED CRYPTOGRAPHIC HASH OF A 
PORTION OF THE CALLING APPLICATION'S IN-MEMORY IMAGE 

WHEREIN THE CRYPTOGRAPHIC GATEKEEPING AND 
CRYPTOGRAPHIC PROCESSING COMPONENT 

DERIVE A KEY FOR UNSEALING THE APPLICATION CONTAINER 
DATA STRUCTURE FROM THE MASTER KEY AND CRYPTOGRAPHIC 

TRANSFORMATION 

USE THE DERIVED KEY TO CHECK THE MESSAGE 
AUTHENTICATION CODE ON THE APPLICATION CONTAINER DATA 
STRUCTURE, AND RETURNS AN ERROR IF THE MESSAGE 
AUTHENTICATION CODE IS CORRECT 

USE THE DERIVED KEY TO DECRYPT THE DATA IN THE 
APPLICATION CONTAINER DATA STRUCTURE AND RETURN IT TO 

THE APPLICATION. 
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Table 1 0 

PubKcontiner structure with embedded MKContainer 



Offset 


Size 


Field Name 


Description 


0x00 


1 bytes 


OpCode 


Indicates contents and format of the data field 


0x01 


1 bytes 


Format 


FmtPubKContainer 


0x02 


4 bytes 


Reserved 


0. This will be used in the future for 
extended opcode information. 


0x06 


2 bytes 


Length 


Count of remaining bytes with MSB first. For a 
sealed container this includes the length of Mac 
and Padding bytes, for an unsealed container it 
does not include either the Mac or Padding byte 
lengths (i.e., it specifies the total byte length of 
items at offsets ###todo: get offsets). 


0x08 


20 
bytes 


PublicKeyDigest 


Result of SHA1 digest of the public key 
(generally the Server Communication Key). 




"1 09 

I <ZX5 

bytes 


Pi ihKR^ ARInnU- 
r uurvnoMDiUQ/K 


When unsealed this field begins with padding 
bytes set to zero and ends with Opcode II 
Format II KID II MK. These fields have fixed 
lengths. When sealed, this is an RSA encrypted 
value. The Opcode is item 1 above, not the 
Opcode for the MKContainer. If the first part is 
reused, the Opcode in the PubKRSABIock may 
not match item 1 but instead may be one of a 
small number of acceptable alternative values 
that indicate the reuse of the block. 


Embeded MKContainer starts at offset 0x98 


+0x00 


1 bytes 


OpCode 


Indicates contents and format of the data field 


+0x01 


1 bytes 


Format 


FmtMKContainer 


+0x02 


4 bytes 


Reserved 


0. This will be used in the future for 
extended opcode information. 


+0x06 


2 bytes 


Length 


Count of remaining bytes with MSB first. 
The unseal length includes items at offsets 
+0x04 to +0x3C, whereas the sealed length 
includes items at offsets. 


+0x08 


20 bytes 


MKDigest 


20 byte result of SHA1 digest of the Master 
Key stored in the 1st part PubKRSABIock. 


+0x1 c 


1 6 bytes 


Initialization 
Vector (IV) 


Random initialization vector for Cipher Block 
Chaining (CBC) mode. IV is passed in by the 
OSD Security module. 


+0x2c 


20 bytes 


SealersCode 
Digest (SCD) 


Result of SHA1 digest of code for the 
program that sealed this container. The SCD 
is set to zero if the container was sealed by 
the Device Authority server. The SCD is 
passed in by the OSD Security module. 


+0x40 


0-64000 
bytes 


Data 


Data with a format determined by the OpCode. 


Varies 


20 bytes 


MAC 


HMAC cryptographic primitive = HMAC 
(NewKey(Key, UsageMKMac), Payload) 


Varies 


1-16 
bytes 




Number of Pad bytes is set to make sure that 
the Plaintext is a multiple of 16 bytes. Each 
padding byte has a value equal to the number 
of padding bytes in the Pad buffer. 



Table 1 1 



Final Sealed PubKContainer Structure 



nit^ivj i\cuiit2 




OpCode 


Indicates contents and format of the data field 


Format 


FmtPubKContainer 


Reserved 


0. This will be used in the future for 
extended opcode information. 


Length 


Count of remaining bytes with MSB first. For a 
sealed container this includes the length of the Mac 
and Padding bytes, for an unsealed container it does 
not include either the Mac or Padding byte lengths 
(i.e., it specifies the total byte length of items at 
offsets ###todo: get offsets). 


PublicKeyDigest 


Result of SHA1 digest of the public key 
(generally the Server Communication Key). 


PubKRSABIock 


When unsealed this field begins with padding bytes set to 
zero and ends with Opcode II Format II KID II MK. These 
fields have fixed lengths. When sealed, this is an RSA 
encrypted value. The Opcode is item 1 above, not the 
Opcode for the MKContainer. If the first part is reused, the 
Opcode in the PubKRSABIock may not match item 1 but 
instead may be one of a small number of acceptable 
alternative values that indicate the reuse of the block. 


Embedded MKcontainer starts at offset 0x98 


OpCode 


Indicates contents and format of the data field 


Format 


FmtMKContainer 


Reserved 


0. This will be used in the future for 
extended opcode information. 


Length 


Count of remaining bytes with MSB first. The unseal 
length includes items at offsets +0x04 to +0x3C, 
whereas the sealed length includes items at offsets. 


MKDigest 


20 byte result of SHA1 digest of the Master 
Key stored in the 1st part PubKRSABIock. 


InitializationVector 
(IV) 


Random initialization vector for Cipher Block Chaining (CBC) 
mode. IV is passed in by the OSD Security module. 


SealersCodeDigest 
(SCD) 


Result of SHA1 digest of code for the program that 
sealed this container. The SCD is set to zero if the 
container was sealed by the Device Authority server. 
The SCD is passed in by the OSD Security module. 


Data 


Data with a format determined by the OpCode. 


MAC 


HMAC cryptographic primitive = HMAC 
(NewKey(Key, UsageMKMac), Payload) 


Pad 


Number of Pad bytes is set to make sure that the Plaintext is 
a multiple of 16 bytes. Each padding byte has a value equal 
to the number of padding bytes in the Pad buffer. 



Table 1 2 



Final Sealed PubKContainer Structure 



Field Name 


Description 


OpCode 


Indicates contents and format of the data field 


Format 


FmtPubKContainer 


Reserved 


0. This will be used in the future for extended 
information. opcode 


Length 


Count of remaining bytes with MSB first. For a sealed 
container this includes the length of the Mac and Padding 
bytes, for an unsealed container it does not include either 
the Mac or Padding byte lengths (i.e., it specifies the total 
byte length of items at offsets ###todo; get offsets). 


PublicKeyDigest 


Result of SHA1 digest of the public key (generally the 
Server Communication Key). 


PubKRSABIock 


When unsealed this field begins with padding bytes set to 
zero and ends with Opcode II Format II KID II MK. These 
fields have fixed lengths. When sealed, this is an RSA 
encrypted value. The Opcode is item 1 above, not the 
Opcode for the MKContainer. If the first part is reused, the 
Opcode in the PubKRSABIock may not match item 1 but 
instead may be one of a small number of acceptable 
alternative values that indicate the reuse of the block. 


Embeded MKContainer starts at offset 0x98 


OpCode 


Indicates contents and format of the data field 


Format 


FmtMKContainer 


Reserved 


0. This will be used in the future for extended 
opcode information. 


Length 


Count of remaining bytes with MSB first. The unseal 
length includes items at offsets +0x04 to +0x3C, whereas 
the sealed length includes items at offsets. 


MKDigest 


20 byte result of SHA1 digest of the Master 
Key stored in the 1st part PubKRSABIock. 


InitializationVector 
(IV) 


Random initialization vector for Cipher Block Chaining 
(CBC) mode. IV is passed in by the OSD Security module. 


SealersCode 
Digest (SCD) 


Result of SHA1 digest of code for the program that sealed 
this container. The SCD is set to zero if the container was 
sealed by the Device Authority server. The SCD is passed 
by the OSD Security module. 


Data 


Data with a format determined by the OpCode. 


MAC 


HMAC cryptographic primitive = HMAC (NewKey(Key, 
UsageMKMac), Payload) 


Pad 


Number of Pad bytes is set to make sure that the Plaintext 
is a multiple of 16 bytes. Each padding byte has a value 
equal to the number of padding bytes in the Pad buffer. 
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